hubble-relay port-fording : context deadline exceeded / error reading server preface: EOF #1356
Comments
Does anyone have an idea for a workaround to use hubble?

What you can try doing is accessing the Hubble Relay service via the Hubble CLI (e.g. from within a Cilium agent pod) and check if everything is fine there (e.g.

Many thanks @rolinh for your suggestion. This is a good workaround.
$ kubectl exec -ti ds/cilium -c cilium-agent -- hubble observe --since 10m --follow --namespace kube-system

Edit: the trick does not work as expected: the cilium pod only observes workloads that run on the same node. if running

Yes, by default the Hubble CLI on the pod queries the local hubble server. However, you can point it to the hubble-relay service instead by either using the

Current status:
Let's dig a bit further. Here are the cilium pods running on 3 masters and 3 workers:
$ kubectl get pod -n kube-system -l k8s-app=cilium -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
cilium-2q56l   1/1     Running   0          11h   100.94.2.140     k8ststworker-3   <none>           <none>
cilium-5wdv5   1/1     Running   0          11h   100.94.2.45      k8ststmaster-1   <none>           <none>
cilium-lsgfm   1/1     Running   0          11h   100.182.210.97   k8ststworker-2   <none>           <none>
cilium-vnllq   1/1     Running   0          11h   100.94.2.86      k8ststmaster-2   <none>           <none>
cilium-w7lph   1/1     Running   0          11h   100.94.2.34      k8ststmaster-3   <none>           <none>
cilium-z65zm   1/1     Running   0          11h   100.94.2.101     k8ststworker-1   <none>           <none>
The first trick that works if I choose a worker node:
$ kubectl exec -ti pod/cilium-2q56l -c cilium-agent -n kube-system -- hubble observe --since 1m --namespace sxxxxxxl -l section=wxxxxxr
Feb 20 06:57:25.239: sxxxxxxl/zincsearch-0:43618 (ID:63357) -> 74.192.137.83:443 (world) to-stack FORWARDED (TCP Flags: ACK, PSH)
Feb 20 06:57:25.239: sxxxxxxl/zincsearch-0:43618 (ID:63357) -> 74.192.137.83:443 (world) to-stack FORWARDED (TCP Flags: ACK, FIN)
Feb 20 06:57:25.243: sxxxxxxl/zincsearch-0:43618 (ID:63357) <- 74.192.137.83:443 (world) to-endpoint FORWARDED (TCP Flags: ACK)
Feb 20 06:57:25.243: sxxxxxxl/zincsearch-0:43618 (ID:63357) <- 74.192.137.83:443 (world) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Feb 20 06:57:25.243: sxxxxxxl/zincsearch-0:43618 (ID:63357) -> 74.192.137.83:443 (world) to-stack FORWARDED (TCP Flags: ACK)
Feb 20 06:57:28.645: 10.233.65.97:43796 (host) -> sxxxxxxl/zincsearch-0:4080 (ID:63357) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN)
Feb 20 06:57:28.645: 10.233.65.97:43796 (host) -> sxxxxxxl/zincsearch-0:4080 (ID:63357) to-endpoint FORWARDED (TCP Flags: SYN)
Same command with exec to a master node -> no answer, no line displayed, hubble looks blind.
$ kubectl exec -ti pod/cilium-vnllq -c cilium-agent -n kube-system -- hubble observe --since 1m --namespace sxxxxxxl -l section=wxxxxxr
Now we try variable
$ kubectl exec -ti pod/cilium-2q56l -c cilium-agent -n kube-system -- bash
root@k8ststworker-3:/home/cilium# HUBBLE_SERVER=hubble-relay.kube-system:80 hubble observe --since 1m --namespace sxxxxxxl -l section=wxxxxxr
failed to connect to 'hubble-relay.kube-system:80': connection error: desc = "transport: error while dialing: dial tcp 10.233.3.157:80: connect: connection refused"
root@k8ststworker-3:/home/cilium# host hubble-relay.kube-system
bash: host: command not found
root@k8ststworker-3:/home/cilium# getent hosts hubble-relay.kube-system
10.233.3.157 hubble-relay.kube-system.svc.cluster.local
root@k8ststworker-3:/home/cilium#
exit
service/hubble-relay listens on 443, not 80. Note that hubble-relay pod had been scheduled to a worker node:
$ kubectl get svc,ep,pod -l k8s-app=hubble-relay -n kube-system -o wide
NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE   SELECTOR
service/hubble-relay           ClusterIP   10.233.3.157   <none>        443/TCP    42d   k8s-app=hubble-relay
service/hubble-relay-metrics   ClusterIP   None           <none>        9966/TCP   42d   k8s-app=hubble-relay

NAME                             ENDPOINTS            AGE
endpoints/hubble-relay           10.233.65.168:4245   42d
endpoints/hubble-relay-metrics   <none>               42d

NAME                               READY   STATUS    RESTARTS   AGE   IP              NODE             NOMINATED NODE   READINESS GATES
pod/hubble-relay-b4df78f74-p2rhd   1/1     Running   0          11h   10.233.65.168   k8ststworker-3   <none>           <none>
So let's try port 443 from the same worker node:
$ kubectl exec -ti pod/cilium-2q56l -c cilium-agent -n kube-system -- bash
root@k8ststworker-3:/home/cilium# HUBBLE_SERVER=hubble-relay.kube-system:443 hubble observe --since 1m --namespace sxxxxxxl -l section=wxxxxxr
failed to connect to 'hubble-relay.kube-system:443': context deadline exceeded: connection error: desc = "error reading server preface: EOF"
Conclusions:
Any idea?

There's a new bit of information: the hubble-relay service runs on port 443. This means you enabled TLS for the Relay service so you will need to enforce TLS using the Hubble CLI:

Issue is SOLVED thanks to @rolinh. It was a TLS issue.
$ cilium hubble port-forward &
$ hubble config set tls true
$ hubble config set tls-allow-insecure true
$
$ cat ~/.config/hubble/config.yaml
tls: true
tls-allow-insecure: true
$
$ hubble status
Healthcheck (via localhost:4245): Ok
Current/Max Flows: 24,570/24,570 (100.00%)
Flows/s: 51.15
Connected Nodes: 6/6
$
$ hubble observe -n trivy-system --since 1m
Feb 20 14:05:47.862: trivy-system/trivy-operator-69cff49598-kwvgq:44670 (ID:3610) <- 100.94.2.25:443 (kube-apiserver) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Feb 20 14:05:47.862: trivy-system/trivy-operator-69cff49598-kwvgq:44670 (ID:3610) -> 100.94.2.25:6443 (kube-apiserver) to-stack FORWARDED (TCP Flags: ACK)
Feb 20 14:05:49.827: 10.233.70.129:49776 (host) -> trivy-system/trivy-operator-69cff49598-kwvgq:9090 (ID:3610) to-endpoint FORWARDED (TCP Flags: SYN)
Feb 20 14:05:49.827: 10.233.70.129:49776 (host) <- trivy-system/trivy-operator-69cff49598-kwvgq:9090 (ID:3610) to-stack FORWARDED (TCP Flags: SYN, ACK)

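An added example (not from the issue thread or the Hubble project): a small Python probe that sends the cleartext HTTP/2 preface a non-TLS gRPC client would send and classifies the reply, to tell a TLS-enabled Relay port from a plaintext one before choosing CLI settings. The function names and result labels are assumptions made for this example.

```python
import socket

# Cleartext HTTP/2 connection preface plus an empty SETTINGS frame: the first
# bytes a gRPC client sends when TLS is not enabled on the client side.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned to the cleartext preface."""
    if not data:
        # Peer closed without a server preface: the EOF case from this issue.
        return "eof"
    # TLS record header: content type 0x14-0x17 followed by major version 3.
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        return "tls"
    # HTTP/2 frame header: 3-byte length, type 0x04 (SETTINGS), stream id 0.
    if len(data) >= 9 and data[3] == 0x04 and data[5:9] == b"\x00" * 4:
        return "h2c"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the cleartext preface to host:port and classify what comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(H2_PREFACE + EMPTY_SETTINGS)
            while len(data) < 9:
                chunk = sock.recv(9 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        if not data:
            return "timeout"
    except (ConnectionResetError, BrokenPipeError):
        pass  # reset while waiting for the preface: treated like a close
    return classify_reply(data)


if __name__ == "__main__":
    # localhost:4245 is the port-forward address shown in `hubble status` above.
    result = probe("localhost", 4245)
    hint = {"eof": "port likely expects TLS: set tls true in the Hubble CLI",
            "tls": "port speaks TLS: set tls true in the Hubble CLI",
            "h2c": "port is plaintext gRPC: leave tls unset"}
    print(result, "-", hint.get(result, "check port and service endpoints"))
```

The `tls-allow-insecure: true` setting used in the fix above makes the client skip verification of the server certificate; the Hubble CLI's `--tls-ca-cert-files` and `--tls-server-name` options let it verify the Relay certificate instead.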
summary
Cannot use hubble from port-forwarding to hubble-relay
demo
context and versions
info
There is this strange message "no cilium pods found in namespace "kube-system"" - although cilium status finds pods and image references as expected. Everything looks fine:
what we have tried
what we have read before